Corpus Analytics
Visual breakdown of 147 CVEs across 64 drivers -- what gets exploited, how often, and where the patterns cluster.
CVEs by Driver Family
The top 10 driver families account for roughly 68% of the corpus. clfs.sys leads at 15, followed by ntoskrnl.exe and the Kernel Streaming stack at 14 each, then afd.sys at 13.
FIG — CVEs by Driver Family (Top 10)
"win32k family" combines win32k.sys, win32kbase.sys, and win32kfull.sys. "KS stack" combines ks.sys, ksthunk.sys, and mskssrv.sys. Remaining 47 CVEs span 54 additional drivers.
Kernel CVE Volume by Year
Windows kernel-mode components average 90--140 CVEs per year. The chart below counts every CVE in the NVD whose description mentions a kernel-mode component -- ntoskrnl, win32k, CLFS, AFD, NTFS, TCP/IP, DWM, cloud files mini-filter, or kernel-mode driver.
FIG — Windows Kernel-Mode CVEs by Year (NVD)
Counts from NVD keyword search across kernel-mode component descriptions. 2017's spike coincides with Microsoft's switch from security bulletins to per-CVE advisories. 2026* is partial (Jan--Feb only).
Annual volume stays between 90 and 140 with no clear upward trend since 2017. The swings mostly track advisory timing rather than actual changes in the kernel's attack surface. Microsoft's 2017 shift from monthly bulletins to individual CVE IDs pushed that year's count up artificially. The 2019 and 2021 dips coincide with lighter Patch Tuesday months, not fewer vulnerabilities.
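The year-count and family-grouping method described above, as an added example that is not KernelSight's own code: a keyword classifier run over NVD-style records, grouping aliases the way the figure notes do ("win32k family", "KS stack"). The record shape (`id`, `published`, `description`), the regex keyword list, and the sample records are all assumptions constructed for illustration; the sample CVE IDs are placeholders, not real entries.

```python
"""Count kernel-mode CVEs per year and per driver family from NVD-style records.

Added example, not the corpus's own tooling. Records are assumed to carry
'id', 'published' (ISO date) and 'description', mirroring NVD feed entries.
"""
import re
from collections import Counter

# Keyword pattern -> family label. Order matters: more specific families
# (KS stack) are tested before the generic "Windows Kernel" pattern.
FAMILY_PATTERNS = [
    (r"\bwin32k(?:base|full)?\b", "win32k family"),
    (r"\b(?:ks|ksthunk|mskssrv)\.sys\b|\bkernel streaming\b", "KS stack"),
    (r"\bclfs\b|common log file system", "clfs.sys"),
    (r"\bafd\.sys\b|ancillary function driver", "afd.sys"),
    (r"\bntoskrnl\b|\bwindows kernel\b", "ntoskrnl.exe"),
    (r"\bntfs\b", "ntfs.sys"),
    (r"\btcpip\.sys\b|\btcp/ip\b", "tcpip.sys"),
    (r"\bdwm(?:core)?\b|desktop window manager", "dwmcore"),
    (r"cloud files mini[- ]?filter|\bcldflt\b", "cldflt"),
    (r"kernel-mode driver", "kernel-mode driver (generic)"),
]

# Constructed sample records; IDs are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "CVE-XXXX-0001", "published": "2024-04-09",
     "description": "Windows Common Log File System (CLFS) driver elevation of privilege vulnerability."},
    {"id": "CVE-XXXX-0002", "published": "2024-06-11",
     "description": "Windows Kernel Streaming service driver (ks.sys) elevation of privilege."},
    {"id": "CVE-XXXX-0003", "published": "2025-01-14",
     "description": "Win32k elevation of privilege vulnerability in win32kfull.sys."},
    {"id": "CVE-XXXX-0004", "published": "2025-03-11",
     "description": "Windows Ancillary Function Driver for WinSock (afd.sys) elevation of privilege."},
    {"id": "CVE-XXXX-0005", "published": "2025-05-13",
     "description": "Microsoft Office remote code execution vulnerability."},  # not kernel-mode
    {"id": "CVE-XXXX-0006", "published": "2025-08-12",
     "description": "Windows NTFS information disclosure vulnerability."},
]


def classify(description):
    """Return the first matching family label, or None if no kernel-mode keyword matches."""
    for pattern, family in FAMILY_PATTERNS:
        if re.search(pattern, description, re.IGNORECASE):
            return family
    return None


def kernel_mode_only(records):
    """Yield (year, family, record) for records that match a kernel-mode keyword."""
    for rec in records:
        family = classify(rec["description"])
        if family is not None:
            yield rec["published"][:4], family, rec


def count_by_year(records):
    """Per-year count of kernel-mode records, as an ordered plain dict."""
    years = Counter(year for year, _, _ in kernel_mode_only(records))
    return dict(sorted(years.items()))


def count_by_family(records):
    """Per-family count of kernel-mode records, most common first."""
    return Counter(family for _, family, _ in kernel_mode_only(records))


if __name__ == "__main__":
    print("by year:", count_by_year(SAMPLE_RECORDS))
    for family, n in count_by_family(SAMPLE_RECORDS).most_common():
        print(f"{n:3d}  {family}")
```

The keyword approach has the weakness the page's footnote hints at: descriptions that merely mention a component (for example a user-mode bug that names "Windows Kernel" in passing) are counted, so the per-year figures measure advisory wording as much as kernel attack surface.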
Corpus Coverage
The KernelSight corpus samples 147 of roughly 1,200 kernel-mode CVEs disclosed since 2015 -- about 12%. The sampling is deliberate: the corpus tracks CVEs that have published exploit research, not a random cross-section of Patch Tuesday fixes.
| Period | NVD Total | Corpus | Coverage |
|---|---|---|---|
| 2015--2021 | 689 | 12 | 1.7% |
| 2022 | 92 | 9 | 9.8% |
| 2023 | 105 | 17 | 16.2% |
| 2024 | 110 | 23 | 20.9% |
| 2025 | 129 | 72 | 55.8% |
| 2026 (partial) | 27 | 14 | 51.9% |
Coverage concentrates on 2025--2026 because those years have the most public exploit writeups. The 2022--2024 jump reflects backfilling CVEs with published exploit research (CLFS ransomware chain, Project Zero registry audit, DEVCORE kernel streaming work). Most pre-2022 entries are BYOVD drivers where the vulnerability existed years before formal CVE assignment.
Vulnerability Class Breakdown
Buffer overflows are most common, followed closely by use-after-free, which dominates the exploited-in-the-wild cases. BYOVD drivers account for most "Arbitrary R/W" entries -- intentional design choices rather than bugs.
FIG — Vulnerability Class Distribution
"EoP (generic)" covers cases where the advisory doesn't specify a memory corruption class. "Process Kill" is the EDR-bypass primitive found in BYOVD anti-cheat and security product drivers.
Exploitation Status
- 57 exploited in the wild · 90 not exploited ITW
- 2 remotely exploitable · 145 local only
- 41 third-party BYOVD drivers · 106 Microsoft inbox drivers
Nearly 39% of the corpus has been exploited in the wild. The two remote CVEs are CVE-2022-21907 (http.sys) and CVE-2024-38063 (tcpip.sys). Everything else requires local access or a BYOVD drop.
BYOVD drivers are over-represented in the ITW column -- they give attackers kernel R/W without any memory corruption. See BYOVD for the full pattern.
Driver × Vulnerability Class Heatmap
Where do specific bug types concentrate? This table crosses the top 8 driver families against the most common vulnerability classes.
| Driver | Buf Ovf | UAF | Race | Type Conf | Info Disc | Arb R/W | Int Ovf | Other |
|---|---|---|---|---|---|---|---|---|
| clfs.sys | 8 | 2 | 1 | 4 | ||||
| ntoskrnl | 2 | 3 | 2 | 1 | 2 | 4 | ||
| afd.sys | 1 | 7 | 3 | 1 | 1 | |||
| win32k | 5 | 3 | 2 | 1 | 1 | |||
| KS stack | 4 | 2 | 1 | 1 | 2 | 4 | ||
| cldflt | 3 | 2 | 2 | 2 | ||||
| dwmcore | 2 | 1 | 1 | 4 | ||||
| ntfs | 3 | 3 | 1 |
Notable clusters:
- clfs.sys skews buffer overflow. Corrupt on-disk offsets cause OOB writes in the BLF parser, accounting for 8 of 15 CVEs.
- afd.sys skews UAF. Socket teardown races account for 7 of 13 CVEs.
- ntoskrnl.exe spreads across classes. Registry races, UAF, integer overflow, arb R/W, and logic bugs -- no single dominant class across 14 CVEs.
- win32k splits between UAF and races. Callback reentrancy and concurrent window ops feed both.
- ntfs.sys splits between buffer overflow and info disclosure. Crafted VHD images hit both through MFT parsing.
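The driver × class cross-tabulation and the "skews" / "splits" reading of it, as an added example that is not KernelSight's own code: it builds a rectangular table (every class column present for every driver, which is what keeps a Markdown heatmap from losing its column alignment) and flags drivers where one class holds a majority of their CVEs. The corpus rows are constructed and do not reproduce the page's counts; the `SAMPLE_CORPUS`, `CLASSES` and function names are assumptions.

```python
"""Cross-tabulate corpus entries by driver and vulnerability class.

Added example, not the corpus's own tooling. Each entry is assumed to be
(driver, vulnerability class, exploited-in-the-wild flag).
"""

# Column order matches the heatmap on the page.
CLASSES = ["Buf Ovf", "UAF", "Race", "Type Conf", "Info Disc", "Arb R/W", "Int Ovf", "Other"]

# Constructed rows; counts are illustrative only.
SAMPLE_CORPUS = [
    ("clfs.sys", "Buf Ovf", True), ("clfs.sys", "Buf Ovf", True),
    ("clfs.sys", "Buf Ovf", False), ("clfs.sys", "Type Conf", False),
    ("afd.sys", "UAF", True), ("afd.sys", "UAF", False), ("afd.sys", "Race", False),
    ("win32k", "UAF", False), ("win32k", "Race", False),
    ("ntfs", "Buf Ovf", False), ("ntfs", "Info Disc", False),
]


def crosstab(corpus):
    """driver -> {class: count}, with every class key present so rows are rectangular."""
    table = {}
    for driver, vclass, _ in corpus:
        row = table.setdefault(driver, {c: 0 for c in CLASSES})
        row[vclass if vclass in CLASSES else "Other"] += 1
    return table


def skew(table, threshold=0.5):
    """Drivers whose single most common class exceeds `threshold` of their CVEs.

    Returns driver -> (class, share). Drivers that split evenly (share equal to
    the threshold or below) are left out, matching the page's skews/splits wording.
    """
    out = {}
    for driver, row in table.items():
        total = sum(row.values())
        vclass, n = max(row.items(), key=lambda kv: kv[1])
        if total and n / total > threshold:
            out[driver] = (vclass, round(n / total, 2))
    return out


def itw_rate(corpus):
    """Percentage of entries flagged exploited in the wild, one decimal."""
    if not corpus:
        return 0.0
    return round(100 * sum(1 for _, _, itw in corpus if itw) / len(corpus), 1)


def render(table):
    """Markdown table in the page's layout; zero cells are left blank."""
    lines = ["| Driver | " + " | ".join(CLASSES) + " |",
             "|---" * (len(CLASSES) + 1) + "|"]
    for driver, row in table.items():
        cells = [str(row[c]) if row[c] else "" for c in CLASSES]
        lines.append(f"| {driver} | " + " | ".join(cells) + " |")
    return "\n".join(lines)


if __name__ == "__main__":
    table = crosstab(SAMPLE_CORPUS)
    print(render(table))
    print("skewed:", skew(table))
    print("ITW rate:", itw_rate(SAMPLE_CORPUS), "%")
```

Because `render` always emits one cell per class, an empty cell stays in its column instead of collapsing into a run of `|` characters, which is the failure the heatmap above shows.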
Cross-References
- Case Studies -- full walkthroughs of individual CVEs
- Vulnerability Classes -- taxonomy of the underlying bug types
- Exploit Chain Patterns -- how these bugs become SYSTEM
- BYOVD -- third-party driver exploitation pattern